Stronger data loss penalties give channel a chance
Changes to the penalties faced by Data Protection Act offenders could open up major opportunities for the channel
Collier: DPA changes could help VARs differentiate
The way companies store and manage their data is a practice governed by various pieces of legislation and guidance. From April, organisations that fail to comply with the Data Protection Act (DPA) 1998 could find themselves on the receiving end of a £500,000 penalty.
The government has also just closed a public consultation on whether sentences of up to 12 months imprisonment should be handed out to those found guilty of reckless or knowing data misuse.
High-profile data losses
The introduction of this hardline approach follows several high-profile cases of data loss and misuse in recent years. Last July, banking giant HSBC was fined £3m by the Financial Services Authority (FSA) for losing unencrypted disks containing the personal information of thousands of customers.
The hope is that tougher penalties will encourage end users to manage their data in ways that will reduce instances of data loss of this magnitude.
However, Lloyd Joseph, sales manager at IT consultancy technologygroup, believes that until another HSBC-type data loss hits the headlines, organisations will not give the new penalties much thought.
“When a high-profile company or government organisation loses some important data and gets penalised for it, that is when you will see other firms start to take notice,” he says.
This view is shared by Alan Calder, chief executive of compliance specialist IT Governance, who thinks it will take five to 10 “significant fines” of non-compliant organisations for others to take the risks seriously.
“Our sense is that most companies are aware they are supposed to comply with the DPA and that there are [at the moment] no serious penalties for failing to do so,” says Calder. “We also suspect that few realise this will soon no longer be the case.”
Even if they are aware of the penalties, adds Joseph, there is no guarantee that a public slap on the wrist for a high-profile offender will be enough to convince end users to take action.
“A lot of organisations will weigh up the risk of doing nothing and if it is not deemed high enough, they will not be compelled to spend money on tackling the problem,” he says.
Guidance from the channel
Dan Orchard, business development manager at specialist distributor Zycko, believes that those citing cost as a reason not to act could benefit from some guidance from the channel about the range of storage solutions on the market.
“This is an area where the channel can take a lead by explaining to end users that there are solutions out there to suit all budgets and business sizes,” says Orchard.
The channel also has a duty of care to its customers to make sure they are up to date with the upcoming changes to the penalties associated with Data Protection Act breaches, because “regulatory changes are not always communicated very well” to them, according to Orchard.
This can be achieved through VAR-mediated marketing campaigns that alert end users to the changes, and also explain how resellers can help them to adapt.
If such a campaign attracts the attention of end users, this may create opportunities for VARs – should organisations act on finding out that their data storage methods do not comply, says Orchard.
Yet before any progress with customers can be made, resellers must ensure their offerings are legally sound, warns Calder.
“They should first take action to ensure that their operations are compliant with the DPA and [once this is established] should be identifying how their products will help their customers comply with the law, because it might give them a competitive edge,” says Calder.
Conversing confidently
Matthew Yeager, practice leader in data storage and protection at reseller Computacenter, agrees that VARs will also need to be capable of conversing confidently with end users on compliance issues.
VARs should look into allying with legal specialists to make sure the products they promote are suitable.
“We regularly get asked for help from customers on these issues and we often take advice from solicitors specialising in the area to ensure the solutions we deploy tick all the boxes from a legal and regulatory point of view,” says Yeager.
Lynn Collier, director of file and content service solutions at Hitachi Data Systems (HDS), says the benefits of this approach are not just limited to customers getting better product. “VARs are always looking for ways to differentiate themselves within the marketplace and the ability to discuss issues of corporate governance is going to add value to the engagements they have with their customers.”
Collier says VARs also need to bear in mind the other forms of regulation that dictate the way end users store, manage and access their data, and that storage capacity needs vary from business to business.
Stewart Room, a partner in the privacy and information law group at law firm Field Fisher Waterhouse, says: “There are thousands of laws that require companies to keep accurate records that can be easily accessed, including the Freedom of Information Act and the Companies Act.”
Room says that because electronic documents can be easily altered, VARs should include various features in their storage offerings that ensure the records their clients keep stay within the law.
“You need a system that captures all relevant records, enables a complete search and retrieval, guards against misuse and monitors the activities of those with access to the files,” he says. “In broad terms, if you have these in place, you will have satisfied the legal requirements.”
Any storage system also needs to be future-proof and scalable, adds Yeager: “End users do not want to be in a situation where they have made an investment in a solution, only to find it is no longer fit for purpose should any new regulations come in later down the line.”
Andy Cordial, managing director of storage vendor Origin Storage, says the security of data stored on portable devices, and the risk this poses to regulatory compliance, is one final area VARs need to address ahead of the introduction of the new DPA penalties.
“There really is no reason for a corporate-level business to have unencrypted data stored on a notebook in the public domain,” says Cordial. “The data stored on USBs and notebook PCs should always be encrypted in some way.”
However, he warns that encryption is not always a foolproof way to protect data. Organisations also need to consider the value of authenticating users more than once to gain entry into the system.
“Encryption offers a level of protection, but to really get data locked down on a portable device, dual authentication is absolutely essential,” says Cordial.
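The point Cordial is making is that encryption on a lost notebook or USB stick is only as strong as whatever gates the key: if a passphrase alone unlocks the volume, the device and a guessed passphrase are all an attacker needs. The following is an added illustration, not code from the article or from any vendor named in it, of binding the volume key to two factors so that neither the passphrase nor the token secret on its own can unlock the data. It uses only the Python standard library; the hardware-token secret (TOKEN_SECRET), the passphrase and the plaintext are constructed sample values, and the HMAC-SHA256 counter-mode keystream stands in for the AES mode a real full-disk encryption product would use.

```python
"""Two-factor key derivation for an encrypted portable volume.

Added example (not from the original article). Assumptions:
  - factor 1 is a user passphrase,
  - factor 2 is a secret held on a hardware token (simulated here),
  - the keystream construction is a stand-in for AES-XTS/AES-GCM.
"""
import hashlib
import hmac
import os

# Constructed sample second factor; a real deployment reads this from a token.
TOKEN_SECRET = bytes.fromhex("a1" * 32)
PBKDF2_ITERATIONS = 100_000


def derive_volume_key(passphrase: str, token_secret: bytes, salt: bytes) -> bytes:
    """Combine both factors into one 32-byte volume key.

    PBKDF2 slows down passphrase guessing; the token secret is then mixed in
    with HMAC, so an attacker holding only the device and a guessed passphrase
    still lacks the key, and a stolen token alone is equally useless.
    """
    pass_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)
    return hmac.new(token_secret, b"volume-key" + pass_key, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (unauthenticated).

    Stand-in for the AES mode real disk encryption uses; the two-factor
    gating of the key is the point of this example, not the cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_volume(plaintext: bytes, passphrase: str, token_secret: bytes) -> dict:
    """Encrypt plaintext under a key derived from both factors.

    The stored verifier lets unlock_volume() tell wrong credentials apart from
    correct ones without leaking the key itself.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_volume_key(passphrase, token_secret, salt)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return {"salt": salt, "nonce": nonce, "verifier": verifier, "ciphertext": ct}


def unlock_volume(blob: dict, passphrase: str, token_secret: bytes):
    """Return the plaintext, or None if either factor is wrong."""
    key = derive_volume_key(passphrase, token_secret, blob["salt"])
    expected = hmac.new(key, b"verifier", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["verifier"]):
        return None
    ks = keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


if __name__ == "__main__":
    # Constructed sample data standing in for customer records on a notebook.
    records = b"customer,account,balance\nA Smith,12345678,1020.55\n"
    blob = encrypt_volume(records, "correct horse battery", TOKEN_SECRET)
    print("both factors:", unlock_volume(blob, "correct horse battery", TOKEN_SECRET) == records)
    print("passphrase only:", unlock_volume(blob, "correct horse battery", bytes(32)))
    print("token only:", unlock_volume(blob, "guessed", TOKEN_SECRET))
```

A real product would keep the token secret inside tamper-resistant hardware and use an authenticated AES mode, but the design choice shown here is the one that matters for Cordial's point: the second factor is an input to the key, not a separate login screen in front of an already-decrypted disk.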